fwminex: +grafana

This commit is contained in:
Motiejus Jakštys 2024-08-03 05:57:15 +03:00
parent ce302838ae
commit 283e10b9b5
6 changed files with 80 additions and 2 deletions

View File

@ -209,6 +209,7 @@
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;

View File

@ -131,6 +131,7 @@ in
}
];
};
};
mj = {
@ -155,6 +156,12 @@ in
sshguard.enable = false;
gitea.enable = true;
grafana = {
enable = true;
port = myData.ports.grafana;
oidcSecretFile = config.age.secrets.grafana-oidc.path;
};
tailscale = {
enable = true;
verboseLogs = false;

View File

@ -7,6 +7,7 @@
./deployerbot
./friendlyport
./gitea
./grafana
./hass
./headscale
./jakstpub

View File

@ -0,0 +1,70 @@
{ config, lib, ... }:
let
cfg = config.mj.services.grafana;
in
{
options.mj.services.grafana = with lib.types; {
enable = lib.mkEnableOption "enable grafana";
port = lib.mkOption { type = port; };
oidcSecretFile = lib.mkOption { type = str; };
};
config = lib.mkIf cfg.enable {
services.grafana = {
enable = true;
provision = {
enable = true;
datasources.settings = {
apiVersion = 1;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData.timeInterval = "10s";
}
];
};
};
settings = {
paths.logs = "/var/log/grafana";
server = {
domain = "grafana.jakstys.lt";
root_url = "http://grafana.jakstys.lt";
enable_gzip = true;
http_addr = "0.0.0.0";
http_port = cfg.port;
};
users.auto_assign_org = true;
users.auto_assign_org_role = "Editor";
# https://github.com/grafana/grafana/issues/70203#issuecomment-1612823390
auth.oauth_allow_insecure_email_lookup = true;
"auth.generic_oauth" = {
enabled = true;
auto_login = true;
client_id = "5349c113-467d-4b95-a61b-264f2d844da8";
client_secret = "$__file{/run/grafana/oidc-secret}";
auth_url = "https://git.jakstys.lt/login/oauth/authorize";
api_url = "https://git.jakstys.lt/login/oauth/userinfo";
token_url = "https://git.jakstys.lt/login/oauth/access_token";
};
feature_toggles.accessTokenExpirationCheck = true;
};
};
systemd.services.grafana = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
serviceConfig = {
LogsDirectory = "grafana";
RuntimeDirectory = "grafana";
LoadCredential = [ "oidc:${cfg.oidcSecretFile}" ];
};
};
};
}

View File

@ -32,7 +32,6 @@ in
{ }
// mk ([ vno1-oh2 ] ++ motiejus) [
"secrets/vno1-oh2/borgbackup/password.age"
"secrets/grafana.jakstys.lt/oidc.age"
"secrets/letsencrypt/account.key.age"
"secrets/vaultwarden/secrets.env.age"
@ -57,7 +56,7 @@ in
vno1-oh2
]
++ motiejus
) [ ]
) [ "secrets/grafana.jakstys.lt/oidc.age" ]
// mk ([ fwminex ] ++ motiejus) [
"secrets/motiejus_server_passwd_hash.age"
"secrets/root_server_passwd_hash.age"

Binary file not shown.